Bug #78507 Segmentation Fault at zend_strtod
Submitted: 2019-09-06 21:41 UTC Modified: 2019-09-06 21:49 UTC
From: ryan at amezmo dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 7.2.22 OS: Ubuntu 16.04.6
Private report: No CVE-ID: None
 [2019-09-06 21:41 UTC] ryan at amezmo dot com
Description:
------------
Reproducible Segmentation Fault on PHP 7.2.22.

Test script:
---------------
https://gist.github.com/rmccullagh/da48753127b8628318e291628fe14be8

$crasher = new PhpVersionCollection();

var_dump($crasher->exists('7.2'));


Expected result:
----------------
bool(true)

Actual result:
--------------
Segmentation fault: 11


-- BEGIN GDB OUTPUT--

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php-fpm: pool www                                                            `
Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x000055b766a11bc0 in _is_numeric_string_ex (str=<optimized out>, length=<optimized out>, lval=0x7ffdf198b068, dval=0x7ffdf198b078, allow_errors=0, oflow_info=0x7ffdf198b060)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.c:2952
#1  0x000055b766a12703 in is_numeric_string_ex (oflow_info=0x7ffdf198b060, allow_errors=0, dval=0x7ffdf198b078, lval=0x7ffdf198b068, length=<optimized out>, str=0x7f834505e618 "7.2")
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.h:142
#2  zendi_smart_strcmp (s1=0x7f834505e600, s2=0x7f832300dce0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.c:2769
#3  0x000055b766938a9d in fast_equal_check_string (op2=0x7f8323f8f4f8, op1=0x7f8331cf8be0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_operators.h:798
#4  php_search_array (behavior=0, return_value=0x7f8331cf8b80, execute_data=0x7f8331cf8b90) at /build/php7.2-PSQlLg/php7.2-7.2.22/ext/standard/array.c:1614
#5  zif_in_array (execute_data=0x7f8331cf8b90, return_value=0x7f8331cf8b80) at /build/php7.2-PSQlLg/php7.2-7.2.22/ext/standard/array.c:1653
#6  0x000055b766acaca6 in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER () at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:816
#7  execute_ex (ex=0x7f834505e618) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:59762
#8  0x000055b766a0a8f2 in zend_call_function (fci=0x7f8331cf8b20, fci@entry=0x7ffdf198b310, fci_cache=fci_cache@entry=0x7ffdf198b2e0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute_API.c:820
#9  0x000055b766a39cf4 in zend_call_method (object=object@entry=0x7ffdf198b3f0, obj_ce=<optimized out>, obj_ce@entry=0x7f8332dc5400, fn_proxy=fn_proxy@entry=0x0,
    function_name=function_name@entry=0x55b766b00bec "offsetexists", function_name_len=function_name_len@entry=12, retval_ptr=retval_ptr@entry=0x7f8331cf8b10, param_count=1, arg1=0x7ffdf198b3e0,
    arg2=0x0) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_interfaces.c:100
#10 0x000055b766a55e74 in zend_std_read_dimension (object=<optimized out>, offset=<optimized out>, type=3, rv=0x7f8331cf8b10) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_object_handlers.c:795
#11 0x000055b766a6645f in zend_fetch_dimension_address_read (slow=0, support_strings=1, type=3, dim_type=16, dim=0x7f8331cf8af0, container=0x7f8331cf8b00, result=0x7f8331cf8b10)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1826
#12 zend_fetch_dimension_address_read_IS (result=0x7f8331cf8b10, container=container@entry=0x7f8331cf8b00, dim=<optimized out>, dim_type=dim_type@entry=16)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1860
#13 0x000055b766a66a06 in ZEND_FETCH_DIM_IS_SPEC_TMPVAR_CV_HANDLER () at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:52145
#14 0x000055b766ac7e8b in execute_ex (ex=0x7f834505e618) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:63467
#15 0x000055b766a0a8f2 in zend_call_function (fci=0x7f8331cf8aa0, fci@entry=0x7ffdf198b660, fci_cache=fci_cache@entry=0x7ffdf198b630) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute_API.c:820
#16 0x000055b766a39cf4 in zend_call_method (object=object@entry=0x7ffdf198b740, obj_ce=<optimized out>, obj_ce@entry=0x7f8332dc5400, fn_proxy=fn_proxy@entry=0x0,
    function_name=function_name@entry=0x55b766b00bd8 "offsetget", function_name_len=function_name_len@entry=9, retval_ptr=retval_ptr@entry=0x7f8331cf8a90, param_count=1, arg1=0x7ffdf198b730, arg2=0x0)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_interfaces.c:100
#17 0x000055b766a55df3 in zend_std_read_dimension (object=<optimized out>, offset=<optimized out>, type=3, rv=0x7f8331cf8a90) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_object_handlers.c:810
#18 0x000055b766a6645f in zend_fetch_dimension_address_read (slow=0, support_strings=1, type=3, dim_type=16, dim=0x7f8331cf8a70, container=0x7f8331cf8a80, result=0x7f8331cf8a90)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1826
#19 zend_fetch_dimension_address_read_IS (result=0x7f8331cf8a90, container=container@entry=0x7f8331cf8a80, dim=<optimized out>, dim_type=dim_type@entry=16)
    at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute.c:1860
#20 0x000055b766a66a06 in ZEND_FETCH_DIM_IS_SPEC_TMPVAR_CV_HANDLER () at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:52145
#21 0x000055b766ac7e8b in execute_ex (ex=0x7f834505e618) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_vm_execute.h:63467
#22 0x000055b766a0a8f2 in zend_call_function (fci=0x7f8331cf8a20, fci@entry=0x7ffdf198b9b0, fci_cache=fci_cache@entry=0x7ffdf198b980) at /build/php7.2-PSQlLg/php7.2-7.2.22/Zend/zend_execute_API.c:820
#23 0x000055b766a39cf4 in zend_call_method (object=object@entry=0x7ffdf198ba90, obj_ce=<optimized out>, obj_ce@entry=0x7f8332dc5400, fn_proxy=fn_proxy@entry=0x0,
    function_name=function_name@entry=0x55b766b00bd8 "offsetget", function_name_len=function_name_len@entry=9, retval_ptr=retval_ptr@entry=0x7f8331cf8a10, param_count=1, arg1=0x7ffdf198ba80, arg2=0x0)

History

 [2019-09-06 21:49 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2019-09-06 21:49 UTC] nikic@php.net
This is an infinite recursion stack overflow. Your offsetGet() implementation uses $this[$key] ?? null, which will in turn call offsetGet().
 
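The pattern the triage comment describes, as an added example that is not the reporter's gist or PHP's own code. The class names, the backing array of version strings and the exists() method are assumptions made for the demonstration; only the shape of the recursion is taken from the comment and the backtrace. Reading `$this[$offset]` on an ArrayAccess object dispatches to offsetExists() and then offsetGet(), which is exactly the pair of frames (zend_std_read_dimension with type=3, then the "offsetexists"/"offsetget" zend_call_method frames) repeating in the trace, so an offsetGet() that reads through `$this[...]` never returns. PHP 7.2 enforces no call-depth limit, so the recursion ends in a native stack overflow and a SIGSEGV of the php-fpm worker; the buggy class below throws after 1000 nested calls instead so the script can run to completion. Requires PHP 8.0 or later for the `mixed` type hints.

```php
<?php
declare(strict_types=1);

// Shared ArrayAccess plumbing. Everything except offsetGet() is identical
// between the buggy and the fixed collection, so the difference is isolated.
abstract class VersionCollectionBase implements ArrayAccess
{
    /** @var string[] constructed sample data, e.g. ['7.2', '7.3'] */
    protected array $versions;

    public function __construct(array $versions)
    {
        $this->versions = array_values($versions);
    }

    public function offsetExists(mixed $offset): bool
    {
        // Strict comparison on purpose. The backtrace (zendi_smart_strcmp,
        // _is_numeric_string_ex under zif_in_array) shows a loose in_array(),
        // under which '7.2' would also match '7.20' or '07.2'.
        return in_array($offset, $this->versions, true);
    }

    public function offsetSet(mixed $offset, mixed $value): void
    {
        if (!in_array($value, $this->versions, true)) {
            $this->versions[] = (string) $value;
        }
    }

    public function offsetUnset(mixed $offset): void
    {
        $this->versions = array_values(array_diff($this->versions, [$offset]));
    }

    // Assumed shape of the reporter's exists(): `??` on $this[...] triggers
    // offsetExists() and, when that returns true, offsetGet().
    public function exists(string $version): bool
    {
        return ($this[$version] ?? null) !== null;
    }

    abstract public function offsetGet(mixed $offset): mixed;
}

// The bug: offsetGet() reads back through $this[$offset], which calls
// offsetExists() and then offsetGet() again, without end.
final class RecursiveVersionCollection extends VersionCollectionBase
{
    private int $depth = 0;

    public function offsetGet(mixed $offset): mixed
    {
        // Demo-only guard. The real code has no limit and overflows the
        // native stack, which is the SIGSEGV in the report.
        if (++$this->depth > 1000) {
            throw new RuntimeException("offsetGet('$offset') re-entered itself 1000 times");
        }
        return $this[$offset] ?? null;
    }
}

// The fix: answer from the backing array, never through $this[...].
final class PhpVersionCollection extends VersionCollectionBase
{
    public function offsetGet(mixed $offset): mixed
    {
        return $this->offsetExists($offset) ? $offset : null;
    }
}

$fixed = new PhpVersionCollection(['7.2', '7.3']);
var_dump($fixed->exists('7.2'));   // bool(true), the result the reporter expected
var_dump($fixed->exists('7.20'));  // bool(false): strict in_array() does not equate '7.20' with '7.2'

$buggy = new RecursiveVersionCollection(['7.2']);
try {
    $buggy->exists('7.2');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same re-entry happens with `isset($this[$k])` inside offsetExists() or `$this[$k] = ...` inside offsetSet(): any ArrayAccess handler must operate on the object's own storage, not on the object's array syntax. Because the engine does not bound userland recursion, a handler that re-enters itself on attacker-reachable input takes the whole FPM worker down rather than raising a catchable error.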
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 18 18:01:28 2024 UTC